Dozens of lawmakers will get their chance starting Tuesday to grill Facebook CEO Mark Zuckerberg in public — but they will need to get creative to pin him down about the data privacy scandal embroiling the company.

The 33-year-old Zuckerberg has been on a whirlwind public relations tour in recent days, apologizing repeatedly for what he calls a “big mistake" in allowing Cambridge Analytica, a firm connected to President Donald Trump’s campaign, to obtain data on as many as 87 million users. Facebook has also unveiled a new look for its privacy settings and announced that it has kicked other suspect developers off its platform.

Story Continued Below

Zuckerberg and Facebook have still left a lot unexplained, however — including what they knew, when they knew it and why their 2.2 billion users should trust the company's privacy promises now.

Here are several questions members of the Senate Judiciary Committee, Senate Commerce Committee and House Energy and Commerce Committee could ask if they want those answers:

1. Why didn’t you follow up in 2015 after you demanded that Cambridge Analytica delete the Facebook data it had obtained? Now we know that Cambridge Analytica might never have scrubbed those records. Did you just take their word for it? What would Facebook do differently today?

Facebook officials have not said explicitly why they did not inform the public at the time of the violation. Zuckerberg, though, has suggested that he considered the situation resolved once both Cambridge Analytica and Aleksandr Kogan, the U.K.-based academic researcher who originally acquired the data, certified they’d purged the records.

But last month, an investigation by The New York Times and The Observer in London concluded that Cambridge Analytica may have never deleted that information.

Asking about how seriously Facebook tried to make sure the data had been erased could help lawmakers understand whether it was misled by an especially nefarious actor — or if it neglected to do the kind of due diligence the public expects from a multibillion-dollar company.

If it turns out that Facebook was negligent in ensuring that Cambridge Analytica deleted its ill-gotten data trove, it raises the possibility that an unknown number of caches of user records might be floating around — perhaps in the hands of other firms focused on changing political outcomes in the United States.

By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time.

2. In 2011, you promised the Federal Trade Commission you would take steps to protect users’ privacy the way they expect. Did you violate that agreement? What additional powers do federal agencies like the FTC need to keep companies like yours in check?

Facebook’s 2011 consent decree with the FTC came in response to complaints that the company had allowed third-party app developers to gain access to the data it collects from users. Facebook’s behavior, the FTC concluded at the time, ran counter to what users had agreed to in their privacy settings.

Some former FTC officials have suggested that last month’s Cambridge Analytica revelations mean that Facebook violated the agreement and ought to face millions or even billions of dollars in fines. Under the agreement, Facebook could face penalties of up to $16,000 for each violation.

The vocal public reaction to the privacy breach indicates that many of those people never imagined their information would be exposed via an app called “thisisyourdigitallife” developed by Kogan, who is alleged to have passed it to Cambridge. Only 270,000 users downloaded Kogan’s app, but under Facebook’s policies at the time, the app was also allowed to harvest data from their friends.

Facebook says it tightened those policies years ago. Chief Operating Officer Sheryl Sandberg, discussing the Cambridge Analytica imbroglio last week, said that “we’re very confident that that was in compliance with the FTC consent decree.” But the FTC has confirmed it's investigating the case and said it takes the reports about Facebook's privacy practices "very seriously."

If Zuckerberg sticks with the company line, it could give momentum to critics’ argument that federal authorities, including the FTC, are powerless to keep Silicon Valley in check — and need Congress to give them stronger teeth.

3. At some point during the 2016 U.S. presidential race, you must have realized that Cambridge Analytica had close ties to Republican politics, including the Trump campaign. Why didn’t you tell American voters then about the data violation?

Cambridge Analytica was launched in 2013 by co-founders including Steve Bannon — who years later became Trump’s campaign CEO — and major conservative backer Robert Mercer. But Zuckerberg told reporters last week that he "certainly didn't" know in 2015 about Cambridge Analytica's significance in Republican political circles.

Some observers have asked whether Facebook should have disclosed — either to the public, Hillary Clinton’s campaign or both — during or immediately after the 2016 election that a company with ties to the Trump campaign had improperly gotten hold of all that data. If the campaign had access to that data, these people say, it could have represented an advantage to Trump’s White House bid that only Facebook knew about.

Former Clinton campaign manager Robby Mook sounded that exact theme when POLITICO asked about Zuckerberg's take on Cambridge Analytica's significance. "There is now a proof of concept as to how personal data we share on social media platforms — not just social media platforms themselves — can be weaponized against us in the election," he said.

4. Did any of the data shared with Cambridge Analytica also end up in the hands of the Russian government or Russian government-linked entities?

This question could steer the Facebook controversy in a whole new direction — while aiding in the ongoing investigations into Russia’s 2016 election interference and questions about possible coordination with Trump’s campaign. In essence: Did Cambridge's data help the Russians pick the targets they chose when spreading disinformation online in the U.S.?

Former Cambridge Analytica employee Christopher Wylie, who first called attention to the improperly handled data, has fueled speculation that Kogan could have stored his data in Russia after harvesting it, leaving it exposed to the Kremlin’s cyber spies. Kogan at times has worked with Russian researchers at St. Petersburg State University.

Facebook may be able to claim ignorance on this one, though — how would it know where the data went after it left the company's oversight?

Lawmakers could also get at this question indirectly by asking whether any of the Russia-linked Facebook ads that ran during the 2016 campaign were seen by — or targeted to — the Facebook users whose data was shared with Cambridge Analytica. The answer could hint at whether the Kremlin’s online trolls were going off the same data set.

5. Facebook has said “malicious actors” who abused its search functions may have collected data on “most people on Facebook” — data that could aid identity theft. Were any of these “malicious actors” linked to Russia, the Russian government or the Russian entities that purchased ads or built fake pages during the 2016 election?

Facebook revealed last week that digital scammers had been misusing the platform’s powerful search tool and account recovery feature to hoover up information that is useful for identity theft schemes. Facebook estimated last week that “most” of the 2 billion “people on Facebook” could have been affected.

Essentially, cyber experts think digital crooks were taking stolen information for sale on the black market, such as phone numbers, and using it to look up full names, home addresses and other information about Facebook users. Such a wealth of data can help build profiles that are then used for identity fraud. Former regulators have said Facebook’s inability to police this behavior may also violate the company’s 2011 consent decree with the FTC.

And Facebook has not said whether these “malicious actors” were only cyber criminals, leaving open the question of whether government-linked hackers also abused these features.

6.Despite the rumors, you’ve denied having an interest in running for president of the United States. But you’ve also done some of the same things a candidate would do, like touring middle America. Why should Americans still trust you as a national leader?

In 2017, after what Zuckerberg called "a tumultuous year" marked by Trump's election, the Facebook CEO announced a goal of meeting with Americans from every state in the union. That journey found Zuckerberg meeting with voters in places like Iowa, Ohio and Texas — sparking chatter he had his own eye on the White House.

The CEO has insisted that the trips had nothing to do with aspirations for high office, saying the tour was designed to give him a "broader perspective" about Facebook's work and his philanthropic initiative.

But whether Zuckerberg sees his future self in the Oval Office or in the CEO suite, his plans depend on the American public placing a great deal of trust in him and his judgment — and the Cambridge Analytica situation has shaken that belief.